-
-
Notifications
You must be signed in to change notification settings - Fork 884
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding honeypot to user and post creation. Fixes #1802 #1803
Conversation
Maybe this could be implemented directly in lemmy-ui, without changing anything in the backend? |
It needs a back-end check, because a good bot could bypass any javascript protections: |
I mean that lemmy-ui could run some server-side js code to perform this check. |
You mean as part of the isomorphic layer? That'd be way too complicated to intercept. |
Alright. In fact I was thinking it would be nice to move user settings which are specific to lemmy-ui (like theme) out of lemmy, and handle them entirely in lemmy-ui instead. That would mean lemmy-ui gets its own database connection to store those things. It would make changes to settings much easier, and we wouldnt have to worry about backwards compatibility. But of course that would be even more complicated. |
About this PR, just after merging I'm thinking that its actually not implemented in a good way. First of all, the field is named honeypot, which makes it very easy for a bot to distinguish. It might be better to give it a different name in the API, and just mention in the docs that its for honeypot. Also, this section from your second link:
So I think that honeypot_check should actually return HTTP 200, and also return a random LoginResponse. |
I was thinking instead, that we should just ban and mass delete content for any account with those fields filled. Then we won't have to do that manually. But that's something we can add later. I'm not sure about the field name either... at least on the front end I have them renamed to other things, but you're right any bot doing it through the api might ignore that field name. |
With the implementation in this PR, having that field filled means that account creation fails in the first place, so there is no possibility for bots to create accounts (except for old bot accounts that registered before deploying this). So for that to make sense, it would have to actually create the account if honeypot is filled, and add a bot flag. Not sure thats worth the trouble. |
Ah, I meant for the post create honeypot. But yeah we can worry about that later. |
No description provided.